Importing private keys on Nitrokey HSM

Hi,

I’ve seen some similar topics, but it looks like other use cases are a bit different. I need to import a pre-generated RSA private key and certificate into Nitrokey HSM. With the certificate it goes quite smoothly, but attempt to import a private key gives out various errors depending on what module I use:

$ pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 -w /opt/pkey.pem -y privkey -d 1
   Using slot 0 with a present token (0x1)
   error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)

$ pkcs11-tool --module /usr/lib/libsc-hsm-pkcs11.so --login --pin 648219 -w /opt/pkey.pem -y privkey -d 1
  Using slot 0 with a present token (0x1)
  error: PKCS11 function C_CreateObject failed: rv = CKR_TEMPLATE_INCONSISTENT (0xd1)

I’ve found a similar issue with SmartCard-HSM, but first I’m not sure if it’s relevant to Nitrokey-HSM and second I haven’t found any information about how to import a key from *.p12 either.
Would be very grateful for any hints.

Thanks,
Anton Gerasimov

Hi @OYTIS,

I would say the link you provided is already the clue you need. Normally one is not supposed to import private keys but should rather create a new within the Nitrokey HSM instead.

Yes it is relevant. The Nitrokey HSM contains a SmartCard-HSM.

I think the linked issue in the original issue (I mean the one about .p12) is not the important information here. As far as I can see you can use the SDK software of CardContact to import private keys if you really need to.

Please have a look at http://www.cardcontact.de/cdn/about.html as this seems to be the only way to manage what you want to do.

I hope it works for you!

Kind regards
Alex

Hi @nitroalex,

thank you for your support. Luckily today this can even be done without accessing CardContact’s CDN, the newest version of the importing algorithm is in a publicly available Github repository. I’m now stuck with importing something else than RSA, but I think only CardContact can help me there.

Best regards,
Anton

2 Likes

Hi,

thanks a lot for you feedback! Good to know.

It seems you are right that it’s probably CardContacts turn now.

Kind regards
Alex